Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
738
Views
1
Helpful
7
Replies

ISE redundancy failure

CCC3
Level 1
Level 1

‎11-29-2023 02:18 AM - edited ‎11-29-2023 02:18 AM

We are currently trying to tie up redundancy using ISE version 3.2.

Also, at the customer's request, forward/reverse registration is not currently in DNS.

However, I set each other's IP and FQDN using the ip host command.

As far as I know, redundancy is tied up with just the ip host command.

If you attempt duplication, a failure log will appear as shown in the attached file below.

Are you aware of this issue?

ISE model is 3755.

Labels:
Preview file
14 KB
0 Helpful
7 Replies 7

balaji.bandi
Hall of Fame
Hall of Fame

‎11-29-2023 03:16 AM 

However, I set each other's IP and FQDN using the ip host command.

is this config done on ISE side.

DNS is must - i do not believe baseline not changed much even the version increased :

3.2 guide -

Guidelines for Setting Up a Distributed Deployment

https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_32_deployment.html

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

CCC3
Level 1
Level 1
In response to balaji.bandi

‎11-30-2023 03:53 PM

hello.

The IP HOST command is set in ISE.

They were set to face each other's IP/FQDN,

We are fully aware that DNS registration is essential.

However, as we have built several ISEs, we know that redundancy was possible with just an IP host.

But now an error has occurred, so I'm trying to check if it's a bug in version 3.2 or if there's another problem.

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to CCC3

‎11-30-2023 11:53 PM 

However, as we have built several ISEs, we know that redundancy was possible with just an IP host.

Let me be honest - i never tried that ( we generally use host entry to test in normal PC to punch DNS Entry before make any changes on the main DNS system,

as i take it was worked for you before version (not sure what version) and that is not working on ISE 3.2 (that take as defective as TAC case - can you open a TAC case to investigate for you ?)

On personal intrest when you using host entry ISE point to what DNS Server, does command level able to resolve  that DNS entry when you ping from CLI or do nslookup ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

MHM Cisco World
VIP
VIP

‎11-29-2023 04:04 AM

Make redundacy meaning use two PSN?

For which purpose you use ISE?

0 Helpful

CCC3
Level 1
Level 1
In response to MHM Cisco World

‎11-30-2023 03:55 PM

.

We are building ise to do tacacs.

It is still in the early stages of construction and redundancy is being tied up.

0 Helpful

Georg Pauwen
VIP
VIP

‎12-02-2023 11:51 AM

Hello,

there is a bug in 3.2 where the DNS query fails when the hostname contains a dash. (-). To verify if you are hitting that bug, what if you use e.g.:

ISETACACS02.kt.com

?

CCC3
Level 1
Level 1
In response to Georg Pauwen

‎12-10-2023 05:12 PM

hello.
The answer was late.

Currently, there is no two-way registration in DNS.
Only ip host is set.

Does the bug you reported apply equally to IP hosts?

Also, can you tell me the bug report ID?

0 Helpful
Customers Also Viewed These Support Documents